| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 08 Feb 2016 23:53:51 +0000
From: Ben Hutchings <ben@...adent.org.uk>
To: linux-kernel@...r.kernel.org, stable@...r.kernel.org
CC: akpm@...ux-foundation.org, "Takashi Iwai" <tiwai@...e.de>,
"Dmitry Vyukov" <dvyukov@...gle.com>
Subject: [PATCH 3.2 64/87] ALSA: control: Avoid kernel warnings from tlv
ioctl with numid 0
3.2.77-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@...e.de>
commit c0bcdbdff3ff73a54161fca3cb8b6cdbd0bb8762 upstream.
When a TLV ioctl with numid zero is handled, the driver may spew a
kernel warning with a stack trace at each call. The check was
intended obviously only for a kernel driver, but not for a user
interaction. Let's fix it.
This was spotted by syzkaller fuzzer.
Reported-by: Dmitry Vyukov <dvyukov@...gle.com>
Signed-off-by: Takashi Iwai <tiwai@...e.de>
Signed-off-by: Ben Hutchings <ben@...adent.org.uk>
---
sound/core/control.c | 2 ++
1 file changed, 2 insertions(+)
--- a/sound/core/control.c
+++ b/sound/core/control.c
@@ -1321,6 +1321,8 @@ static int snd_ctl_tlv_ioctl(struct snd_
return -EFAULT;
if (tlv.length < sizeof(unsigned int) * 2)
return -EINVAL;
+ if (!tlv.numid)
+ return -EINVAL;
down_read(&card->controls_rwsem);
kctl = snd_ctl_find_numid(card, tlv.numid);
if (kctl == NULL) {
Powered by blists - more mailing lists